Password Savvy: Harder-to-hack passwords you can remember

By Alec Ramsay on October 8th, 2012

Password Savvy is a public service to teach people what strong passwords are and how to make ones that are easy to remember.

People frequently use weak passwords–passwords that are short and all lowercase letters with no caps, numbers, or symbols–either because they don’t know how to create strong passwords or because they try to make their passwords easier to remember (or both). Even so, people still frequently forget passwords!

The classic xkcd comic strip on password strength parodies attempts to make strong passwords by tweaking uncommon words (like “troubador”) with random capital letters, letter-number substitutions (like ‘4’ for ‘A’), and symbols (like ‘#’). It’s spot on that lone uncommon words with random changes are hard to remember. The comic suggests creating much stronger passwords that you can remember by simply appending four random common words (like “correct,” “horse,” “battery,” and “staple”). That can be a lot of typing for a password that you type regularly, though.

Password Savvy takes a different approach to creating strong passwords that you can remember. It is an homage to old CompuServe-style passwords that were two random words separated by a random symbol. By combining two random words, these passwords created phrases that were easy to remember. Moreover, using two words increased the length of passwords–a primary driver of password strength (entropy). Separating the two words with a symbol also made these passwords stronger, because using a symbol increased the size of the “alphabet” that a password cracker had to consider–the other driver of password strength. At the same time, it didn’t add complexity for the person, as the symbol always separated the two words.
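To put numbers on the two drivers described above, here is an added Python example (not code from Password Savvy) that generates a word-symbol-word password and estimates its strength two ways: by character-level brute force, and by the number of random choices if the recipe is known. The word list, the symbol set, and the pool sizes (2048 words, 32 symbols) are assumptions made for illustration.

```python
import math
import secrets
import string

# Constructed sample list (assumption); a real list would hold thousands of words.
WORDS = ["correct", "horse", "battery", "staple", "window", "garden",
         "rocket", "pencil", "marble", "copper", "tunnel", "ladder"]
SYMBOLS = "!@#$%&*+-=?"  # assumed separator set

def generate(words=WORDS, symbols=SYMBOLS):
    """Word + symbol + word, each part drawn with a CSPRNG (not random.choice)."""
    return secrets.choice(words) + secrets.choice(symbols) + secrets.choice(words)

def charset_bits(password):
    """Brute-force estimate: length * log2(alphabet), the two drivers in the text."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def scheme_bits(pool_sizes):
    """Estimate when the attacker knows the recipe: sum of log2 of each random choice."""
    return sum(math.log2(n) for n in pool_sizes)

if __name__ == "__main__":
    pw = generate()
    print(pw, f"{charset_bits(pw):.1f} bits by character brute force")
    # Pool sizes below are assumptions: a 2048-word list and 32 symbols.
    print("word+symbol+word:", scheme_bits([2048, 32, 2048]), "bits if the recipe is known")
    print("four random words:", scheme_bits([2048] * 4), "bits if the recipe is known")
```

The character-level figure rises with both length and alphabet size, while the recipe-aware figure depends only on how many words and symbols the generator can pick from, so the size of the word list matters as much as the separator.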

Password Savvy builds on this strategy, by also capitalizing some letters and substituting numbers for some letters that look similar. However, by using patterns for these “decorations,” you can still remember these passwords, even though they’re strong. They’re also considerably shorter than four random words!